A new investigation has uncovered that companies tied to China’s state-backed hacking group Hafnium have filed over a dozen patents for spyware and surveillance tools. These Hafnium spyware patents expose a deeper, more structured cyber espionage network than previously understood.

The findings come from cybersecurity firm SentinelOne, following a 2025 indictment by the U.S. Department of Justice (DOJ) against two Chinese nationals—Xu Zewei and Zhang Yu. The DOJ charged them with hacking Microsoft Exchange servers, stealing COVID-19 research, and compromising thousands of systems globally.


From research theft to patented hacking tools

According to SentinelOne, firms linked to Hafnium have filed patents for:

  • Tools that hack Apple devices
  • Software that collects router metadata
  • Systems for controlling smart home devices
  • Methods for extracting encrypted data from iOS systems

These tools were never publicly tied to Hafnium before. Their sudden visibility through patent filings reveals an alarming shift: Hafnium’s reach isn’t limited to underground cyber operations—it’s also embedded in registered businesses with official addresses, leadership teams, and employees moving between government contractors and private tech firms.


Public companies, private motives

Rather than hiding in the shadows, some Hafnium-linked entities operated in plain sight. For example:

  • Xu Zewei moved from Powerock (linked to the Microsoft hack) to Chaitin Tech and then to Shanghai GTA Semiconductor.
  • Zhang Yu, now CEO of Shanghai Firetech, leads one of the firms filing patents for Apple forensics and encrypted data access.
  • Another hacker, Yin Kecheng, worked at Shanghai Heiying, reportedly founded by Zhou Shuai, a patriotic hacker and underground data broker.

These connections paint a picture of Hafnium not as a standalone group but as part of a broader contractor ecosystem supporting China’s Ministry of State Security (MSS).


Surveillance at ground level

Some of the patented tools suggest direct, closer-to-the-victim surveillance, such as tools for infiltrating personal devices and home networks. This indicates that China’s offensive cyber capabilities may extend beyond remote attacks to physical proximity operations.

“The variety of tools under the control of Shanghai Firetech exceeds those publicly attributed to Hafnium,” said Dakota Cary of SentinelLabs. “These capabilities may be sold across regional MSS offices, making attribution difficult.”


Conclusion

The Hafnium spyware patents shed new light on China’s cyber operations. Rather than acting alone, Hafnium appears to operate through a network of companies that build and patent offensive cyber tools. These revelations challenge traditional threat actor attribution and raise the need for global cybersecurity frameworks to look beyond hacker aliases—and into corporate structures, government ties, and public paper trails.
